vrr/g3
2
0
Fork 0
mirror of https://github.com/bytedance/g3.git synced 2026-05-02 13:40:42 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

initial commit

Browse source
This commit is contained in:
zhangjingqiang 2023-03-09 17:55:45 +08:00
commit 13716f4923
1425 changed files with 163227 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

44
g3proxy/doc/configuration/user_group/audit.rst Normal file
View file

@ -0,0 +1,44 @@
.. _configuration_user_group_user_audit:
**********
User Audit
**********
.. versionadded:: 1.7.0
The user audit config is in map format. We will use this to specify user level audit actions.
enable_protocol_inspection
--------------------------
**optional**, **type**: bool
Whether protocol inspection functionality should be enabled.
Protocol inspection will be enabled if true, and if audit is also enabled at both server and user side, for a specific user request.
**default**: false
prohibit_unknown_protocol
-------------------------
**optional**, **type**: bool
Whether unknown protocol will be prohibited when protocol inspection is enabled.
**default**: false
application_audit_ratio
-----------------------
**optional**, **type**: :ref:`random ratio <conf_value_random_ratio>`
Set the application audit (like ICAP REQMOD/RESPMOD) ratio for incoming user requests.
This also controls whether protocol inspection is really enabled for a specific user request.
If set, this will override the :ref:`application audit ratio <conf_auditor_application_audit_ratio>` config at auditor side.
**default**: not set
.. versionadded:: 1.7.4

67
g3proxy/doc/configuration/user_group/index.rst Normal file
View file

@ -0,0 +1,67 @@
.. _configuration_user_group:
**********
User Group
**********
.. toctree::
:maxdepth: 2
user
source
audit
site
The type for each user group config is *map*, with two always required keys:
* *name*, which specify the name of the user group.
* *type*, which specify the real type of the user group, decides how to parse other keys.
For now, we only support *hashed_user* type of user group. We may add a *gss_api* type after sometime.
The real auth type used in each protocol is determined by the type of user group.
See documentation for each server type for the mapping.
Group types
===========
hashed_user
-----------
This type of user group is consist of users that store hashed passwords. The clear text password must be transported
to server, so we can calc its hash and compare with the ones in config.
The users are split into two groups: static and dynamic. The static users is configured with key *static_users*
in config file, each in yaml format. The dynamic users are fetched from *dynamic_source* periodically, each in json
format. Both can be optional and share the same data structure.
* static_users
**optional**, **type**: seq
Static user can be added in this array.
See :ref:`user <configuration_user_group_user>` for detailed structure of user.
* source
**optional**, **type**: :ref:`url str <conf_value_url_str>` | map
Set the fetch source for dynamic users.
We support many type of sources. The type is detected by reading the *scheme* field of url,
or the *type* key of the map. See :ref:`source <configuration_user_group_source>` for all supported type of sources.
Dynamic users will be updated if they exist already. If the fetch fail, we will continue keep the old users.
**default**: not set
.. _conf_user_group_refresh_interval:
* refresh_interval
**optional**, **type**: :ref:`humanize duration <conf_value_humanize_duration>`
Set the check interval for user expiration and the fetch interval for dynamic users.
**default**: 60s

70
g3proxy/doc/configuration/user_group/site.rst Normal file
View file

@ -0,0 +1,70 @@
.. _configuration_user_group_user_site:
*********
User Site
*********
.. versionadded:: 1.3.4
The user site config is in map format. We can set how to match this site, enable site level metrics, or do any other
site level config.
.. _conf_user_group_user_site_id:
id
--
**required**, **type**: :ref:`metrics name <conf_value_metrics_name>`
Each site should have an ID, and it will be used in metrics name if enabled.
exact_match
-----------
**optional**, **type**: :ref:`host <conf_value_host>`
Set the exact domain or the exact target IP in user request which we should match.
.. note:: the value should be different within all sites config of the current user.
child_match
-----------
**optional**, **type**: :ref:`domain <conf_value_domain>`
Set the parent domain and all it's child domains will be matched.
.. note:: the value should be different within all sites config of the current user.
subnet_match
------------
**optional**, **type**: :ref:`ip network str <conf_value_ip_network_str>`
Set the network to match if the target is IP address in user request.
.. note:: the value should be different within all sites config of the current user.
emit_stats
----------
**optional**, **type**: bool
Set whether we should emit site level stats for this site.
See :ref:`user site metrics <metrics_user_site>` for the definition of metrics.
**default**: false
resolve_strategy
----------------
**optional**, **type**: :ref:`resolve strategy <conf_value_resolve_strategy>`
Set a custom resolve strategy at user-site level, which will override the one at user level,
but still within the range of the one set on the escaper.
Not all escapers support this, see the documentation for each escaper for more info.
**default**: not custom resolve strategy is set
.. versionadded:: 1.7.10

250
g3proxy/doc/configuration/user_group/source.rst Normal file
View file

@ -0,0 +1,250 @@
.. _configuration_user_group_source:
******
Source
******
For the *map* format, the **type** key should always be set.
file
====
Fetch dynamic users from a local file.
The content of the file should be the json encoded string of all dynamic users.
The keys used in *map* format are:
* path
**required**, **type**: :ref:`file path <conf_value_file_path>`
Set path for the file. The file should be existed before start the daemon.
* format
**optional**, **type**: :ref:`config file format <conf_value_config_file_format>`
Set the file format for the file specified in *path*.
**default**: If the file has extension, the extension will be used to detect the format.
If not format can be detected through extension, *yaml* will be used.
For *url* str values, the *path* should be an absolute path with the following format:
file://<path>[?[format=<format>]]
http
====
Fetch dynamic users through an http GET request.
The success response code should be 200, and the body should be the json encoded string of all dynamic users.
The keys used in *map* format are:
* url
**required**, **type**: :ref:`url str <conf_value_url_str>`
Set the url to GET.
* cache_file
**required**, **type**: :ref:`file path <conf_value_file_path>`
The local file to cache remote results, it will be used during initial load of the user group.
The file will be created if not existed.
* timeout
**optional**, **type**: :ref:`humanize duration <conf_value_humanize_duration>`
Set the timeout value for the whole request.
It's not recommended to set the timeout value greater the :ref:`refresh_interval <conf_user_group_refresh_interval>`
in group config.
**default**: 10s
* connect_timeout
**optional**, **type**: :ref:`humanize duration <conf_value_humanize_duration>`
Set the connect timeout value.
It's not recommended to set the timeout value greater the :ref:`refresh_interval <conf_user_group_refresh_interval>`
in group config.
**default**: 5s
.. versionadded:: 1.2.0
* interface
**optional**, **type**: str
Set the bind IP or bind interface.
**default**: not set
.. versionadded:: 1.2.0
* max_body_size
**optional**, **type**: :ref:`humanize size <conf_value_humanize_usize>`
Set the max body size.
**default**: 64MiB
lua
===
.. versionadded:: 1.1.3
Fetch users through local lua script.
.. note::
Environment variable `LUA_PATH`_ and `LUA_CPATH`_ can be set to include more lua module files.
Any ";;" in the value of the *LUA_PATH* environment variable will be replaced by the default path.
.. _LUA_PATH: https://www.lua.org/manual/5.1/manual.html#pdf-package.path
.. _LUA_CPATH: https://www.lua.org/manual/5.1/manual.html#pdf-package.cpath
The return value of the script should be the json encoded string of all dynamic users.
The keys used in *map* format are:
* cache_file
**required**, **type**: :ref:`file path <conf_value_file_path>`
The local file to cache results, it will be used during initial load of the user group.
The file will be created if not existed.
* fetch_script
**required**, **type**: :ref:`file path <conf_value_file_path>`
The path of the lua script to fetch dynamic users.
The content of this script file should be like:
.. code-block:: lua
-- TODO fetch users
local result = "[]"
-- return the json encoded string
return result
**alias**: script
* fetch_timeout
**optional**, **type**: :ref:`humanize duration <conf_value_humanize_duration>`
Set the timeout value for the execution of the fetch script.
It's not recommended to set the timeout value greater the :ref:`refresh_interval <conf_user_group_refresh_interval>`
in group config.
**default**: 30s, **alias**: timeout
* report_script
**optional**, **type**: :ref:`file path <conf_value_file_path>`
The path of the lua script to report the parse result of the fetched dynamic users.
Two global functions should be defined in this script, like this:
.. code-block:: lua
function reportOk ()
-- takes no argument
end
function reportErr (errMsg)
-- takes one argument, which the error message string
end
.. versionadded:: 1.4.1
* report_timeout
**optional**, **type**: :ref:`humanize duration <conf_value_humanize_duration>`
Set the timeout value for the execution of the report script.
It's not recommended to set the timeout value greater the :ref:`refresh_interval <conf_user_group_refresh_interval>`
in group config.
**default**: 15s, **alias**: timeout
.. versionadded:: 1.4.1
python
======
.. versionadded:: 1.5.0
Fetch users through local python script.
The keys used in *map* format are:
* cache_file
**required**, **type**: :ref:`file path <conf_value_file_path>`
The local file to cache results, it will be used during initial load of the user group.
The file will be created if not existed.
* script
**required**, **type**: :ref:`file path <conf_value_file_path>`
The path of the python script.
Three global functions should be defined in this script, like this:
.. code-block:: python
def fetch_users():
# required, takes no argument, returns the json string
return "[]"
def report_ok():
# optional, takes no argument
pass
def report_err(errmsg):
# optional, takes one positional argument, which is the error message string
pass
* fetch_timeout
**optional**, **type**: :ref:`humanize duration <conf_value_humanize_duration>`
Set the timeout value for the execution of the fetch function.
It's not recommended to set the timeout value greater the :ref:`refresh_interval <conf_user_group_refresh_interval>`
in group config.
**default**: 30s, **alias**: timeout
* report_timeout
**optional**, **type**: :ref:`humanize duration <conf_value_humanize_duration>`
Set the timeout value for the execution of the report functions.
It's not recommended to set the timeout value greater the :ref:`refresh_interval <conf_user_group_refresh_interval>`
in group config.
**default**: 15s, **alias**: timeout

324
g3proxy/doc/configuration/user_group/user.rst Normal file
View file

@ -0,0 +1,324 @@
.. _configuration_user_group_user:
****
User
****
The user config is in map format. We can specify how to authenticate the user, set limitations and we may also specify
som custom actions for each user.
name
----
**required**, **type**: :ref:`username <conf_value_username>`
Set the username.
token
-----
**required**, **type**: mix
Set the token used to authenticate the user. The token can be in the following types:
* str
The value should be a string in unix format, see crypt(5).
* map
The key *type* specify the real type.
* fast_hash
A custom type. We use salt, and one or more value of md5, sha1, blake3. The hash is weak, but fast.
The values for *salt*, *md5*, *sha1*, *blake3* should be in hex encoded ascii string.
* xcrypt_hash
The required key is *value*, which value should be a valid crypt(5) string.
The currently supported crypt(5) methods are: md5, sha256, sha512.
expire
------
**optional**, **type**: :ref:`rfc3339 datetime str <conf_value_rfc3339_datetime_str>`
Set when the user should be considered expired. The check interval is set by
:ref:`refresh interval <conf_user_group_refresh_interval>` in group config.
**default**: not set
block_and_delay
---------------
**optional**, **type**: :ref:`humanize duration <conf_value_humanize_duration>`
Block the user, and delay sending of the error response by the specified duration.
The response code for blocked user will be forbidden instead of auth failed.
**default**: not set
proxy_request_filter
--------------------
**optional**, **type**: :ref:`proxy request acl rule <conf_value_proxy_request_acl_rule>`
Set the proxy request types that we should handle.
**default**: not set
dst_host_filter_set
-------------------
**optional**, **type**: :ref:`dst host acl rule set <conf_value_dst_host_acl_rule_set>`
Set the filter for dst host of each request, which means it won't apply to udp associate tasks.
**default**: not set
dst_port_filter
---------------
**optional**, **type**: :ref:`exact port acl rule <conf_value_exact_port_acl_rule>`
Set the filter for dst port of each request, which means it won't apply to udp associate tasks.
**default**: not set
http_user_agent_filter
----------------------
**optional**, **type**: :ref:`user agent acl rule <conf_value_user_agent_acl_rule>`
Set the filter for HTTP User-Agent header.
.. note:: This only applies to layer-7 http traffic, including http forward and https forward.
**default**: not set
tcp_connect
-----------
**optional**, **type**: :ref:`tcp connect <conf_value_tcp_connect>`
Set user level tcp connect params, which will take effect for *direct* type escapers.
And this will be limited by the escaper level settings.
**default**: not set
tcp_sock_speed_limit
--------------------
**optional**, **type**: :ref:`tcp socket speed limit <conf_value_tcp_sock_speed_limit>`
Set speed limit for each tcp socket.
**default**: no limit, **alias**: tcp_conn_speed_limit | tcp_conn_limit
.. versionchanged:: 1.4.0 changed name to tcp_sock_speed_limit
udp_sock_speed_limit
---------------------
**optional**, **type**: :ref:`udp socket speed limit <conf_value_udp_sock_speed_limit>`
Set speed limit for each udp socket.
**default**: no limit, **alias**: udp_relay_speed_limit | udp_relay_limit
.. versionchanged:: 1.4.0 changed name to udp_sock_speed_limit
tcp_remote_keepalive
--------------------
**optional**, **type**: :ref:`tcp keepalive <conf_value_tcp_keepalive>`
Set tcp keepalive for the remote tcp socket.
The tcp keepalive set in user config will only be taken into account in Direct type escapers.
**default**: no keepalive set
tcp_remote_misc_opts
--------------------
**optional**, **type**: :ref:`tcp misc sock opts <conf_value_tcp_misc_sock_opts>`
Set misc tcp socket options for the remote tcp socket.
The user level TOS and Mark config will overwrite the one set at escaper level.
Other fields will be limited to the smaller ones.
**default**: not set
udp_remote_misc_opts
--------------------
**optional**, **type**: :ref:`udp misc sock opts <conf_value_udp_misc_sock_opts>`
Set misc udp socket options for the remote udp socket.
The user level TOS and Mark config will overwrite the one set at escaper level.
Other fields will be limited to the smaller ones.
**default**: not set
tcp_client_misc_opts
--------------------
**optional**, **type**: :ref:`tcp misc sock opts <conf_value_tcp_misc_sock_opts>`
Set misc tcp socket options for the client tcp socket before task connecting stage.
The user level TOS and Mark config will overwrite the one set at escaper level.
Other fields will be limited to the smaller ones.
**default**: not set
udp_client_misc_opts
--------------------
**optional**, **type**: :ref:`udp misc sock opts <conf_value_udp_misc_sock_opts>`
Set misc udp socket options for the client udp socket.
The user level TOS and Mark config will overwrite the one set at server level.
Other fields will be limited to the smaller ones.
**default**: not set
http_upstream_keepalive
-----------------------
**optional**, **type**: :ref:`http keepalive <conf_value_http_keepalive>`
Set http keepalive config at user level.
**default**: set with default value
tcp_conn_rate_limit
-------------------
**optional**, **type**: :ref:`rate limit quota <conf_value_rate_limit_quota>`
Set rate limit on client side new connections.
The same connection used for different users will be counted for each of them.
**default**: no limit, **alias**: tcp_conn_limit_quota
.. versionadded:: 1.4.0
request_rate_limit
------------------
**optional**, **type**: :ref:`rate limit quota <conf_value_rate_limit_quota>`
Set rate limit on request.
**default**: no limit, **alias**: request_limit_quota
request_max_alive
-----------------
**optional**, **type**: usize, **alias**: request_alive_max
Set max alive requests at user level.
Even if not set, the max alive requests should not be more than usize::MAX.
**default**: no limit
resolve_strategy
----------------
**optional**, **type**: :ref:`resolve strategy <conf_value_resolve_strategy>`
Set an user custom resolve strategy, within the range of the one set on the escaper.
Not all escapers support this, see the documentation for each escaper for more info.
**default**: not custom resolve strategy is set
resolve_redirection
-------------------
**optional**, **type**: :ref:`resolve redirection <conf_value_resolve_redirection>`
Set the dns redirection rules at user level.
**default**: not set
log_rate_limit
--------------
**optional**, **type**: :ref:`rate limit quota <conf_value_rate_limit_quota>`
Set rate limit on log request.
**default**: no limit, **alias**: log_limit_quota
.. _config_user_log_uri_max_chars:
log_uri_max_chars
-----------------
**optional**, **type**: usize
Set the max number of characters of uri should be logged in logs.
If set, this will override the one set in server level.
If not set, the one in server level will take effect.
The password in uri will be replaced by *xyz* before logging.
**default**: not set
task_idle_max_count
-------------------
**optional**, **type**: i32
The task will be closed if the idle check return IDLE the times as this value.
This will overwrite the one set at server side,
see :ref:`server task_idle_max_count <conf_server_common_task_idle_max_count>`.
The idle check interval can only set at server side,
see :ref:`server task_idle_check_duration <conf_server_common_task_idle_check_duration>`.
**default**: 1
socks_use_udp_associate
-----------------------
**optional**, **type**: bool
Set if we should use socks udp associate instead of the simplified udp connect method.
**default**: false
.. versionadded:: 1.3.0
audit
-----
**optional**, **type**: :ref:`user audit <configuration_user_group_user_audit>`
Set audit config for this user.
**default**: set with default values
.. versionadded:: 1.7.0
explicit_sites
--------------
**optional**, **type**: seq of :ref:`user site <configuration_user_group_user_site>`
Set explicit sites for this user.
.. versionadded:: 1.3.4